12/06/02  13:27  FAX 301 903 4656        CAPITAL REGION                      003

DOE F 1325.8
EFG (07-90)

United States Government                                   Department of Energy

memorandum

     DATE:      DEC 05 2002
     REPLY TO:  IG-34 (A02AT015)             Audit Report Number: OAS-L-03-04
     SUBJECT:   Follow-Up Audit on Internet Privacy
     TO:        Chief Information Officer, IM-1

The purpose of this report is to inform you of the results of our follow-up
review of the Department of Energy's Internet Privacy initiatives. This review
was performed from June 2002 to October 2002 at Department Headquarters. The
review methodology is described in the attachment to the report.

INTRODUCTION AND OBJECTIVE

Department and OMB guidance expressly prohibit the collection of data from
public Internet web site visitors through the use of unapproved or undisclosed
methods. For example, persistent cookies are not allowed on any Department
Internet web page unless specifically approved by the Secretary. Persistent
cookies are technologies used to collect data from public web site visitors
that remain on the visitor's computer even after it is completely shut down.
A very small number of Department web pages possess Secretarial or equivalent
approval to use persistent cookies. Additionally, OMB regulations require that
web pages conspicuously post privacy notices containing clear and unambiguous
language that explains data collection techniques and the ultimate use of
visitor data.

In February 2001, the Office of Inspector General issued the Audit on Internet
Privacy (DOE/IG-0493) that evaluated whether the Department's method of
collecting data from its public web site visitors was consistent with
applicable Federal Regulations. Our review disclosed that some web pages were
collecting data by unapproved or undisclosed means and a number of web pages
did not display conspicuously located or clearly written privacy notices.

Web page privacy control weaknesses occurred in a number of instances because
the Department lacked clear and current implementing guidance and did not
provide consistent oversight of site development and operation. As a result,
the Department could not ensure that the privacy of its web page visitors was
properly protected in all instances as required by Federal privacy regulations.

To ensure privacy of Departmental web page visitors, we made a number of
recommendations designed to enhance privacy measures within the Department.
Most significantly, we recommended the review of all publicly accessible web
sites for compliance with Federal requirements and the adoption of meaningful
Internet privacy-specific performance measures.

To gauge the effectiveness of corrective measures, we conducted a targeted
follow-up audit to determine whether persistent cookies were still being used
on Department web sites.

CONCLUSIONS AND OBSERVATIONS

Our follow-up review did not reveal any persistent cookies on the 20 randomly
selected Department web pages that we tested. These test results are consistent
with the Department's actions to implement our earlier recommendations.

Specifically, we found that:

    1. Prior to our test work, the Department tested approximately 4000 web
       pages for persistent cookies and adequate privacy notices. As a result
       of those tests, the Department found a small number of web pages using
       persistent cookies. The Department immediately removed the cookies, and
       subsequently confirmed that they had been removed.

    2. The Department also developed a catalog listing web pages and
       implemented a process to periodically test a sample of sites listed in
       the catalog for compliance with Departmental and OMB guidance.

    3. The Secretary issued a memorandum, dated May 22, 2001, that addressed
       Internet privacy requirements and the Department drafted a new Notice
       that addresses publicly accessible web servers and includes a section
       on privacy.

While the Department had made significant progress toward implementing our
recommendations, we found that it has not yet adopted meaningful Internet
privacy-specific performance measures. According to an official in the Office
of the Chief Information Officer, they were considering various alternatives
but had not yet determined a suitable method for measuring performance
specific to Internet privacy.

We continue to believe that meaningful performance measures are a necessary
management tool for ensuring privacy of Departmental web page visitors.
Accordingly, we reaffirm our previous recommendation that the Department adopt
measures specific to Internet privacy.

We appreciate the cooperation of your staff throughout the audit.

                                        Rickey R. Hass, Director
                                        Science, Energy, Technology,
                                         and Financial Audits
                                        Office of Audit Services
                                        Office of Inspector General

cc: Director, Office of Independent Oversight and Performance Assurance, OA-1

                                                                    ATTACHMENT

SCOPE AND METHODOLOGY

To accomplish the audit objective, we:

    *  Identified and reviewed a list of the Department web pages to establish
       a universe of Department web sites to be tested;

    *  Selected a sample of 20 Department web sites using the U.S. Army Audit
       Statistical Sampling Software application (version 6.3);

    *  Tested the randomly selected Department web pages for persistent
       cookies.

We also met with an official in the Office of the Chief Information Officer
discussing actions taken to implement our earlier recommendations and the
results to date of those actions.

The audit was conducted in accordance with generally accepted Government
auditing standards for performance audits and included tests of internal
controls and compliance with laws and regulations to the extent necessary to
satisfy the audit objective. Because of the nature of our follow up audit, we
did not reassess internal controls but rather relied on the assessment
performed during the earlier audit. Due to the limited nature of our review,
it would not necessarily have disclosed all internal control deficiencies that
may have existed at the time of our audit. We relied on computer-processed
data in the form of statistical analysis and web cookie detecting software to
accomplish our audit objective. We performed limited validation of this data,
sufficient to satisfy our audit objective.

An exit conference was waived by cognizant Department Headquarters officials.

bcc: Sandy Parnes, IG-1


United States Government                                   Department of Energy

Memorandum

     DATE:      DEC 05 2002
     REPLY TO:  IG-34 (A02AT015)             Audit Report Number: OAS-L-03-04
     SUBJECT:   Audit Report on "Follow-Up Audit on Internet Privacy"
     TO:        Team Leader, Audit Liaison Team, ME-2

This report follows up on our earlier "Audit on Internet Privacy"
(DOE/IG-0493). Our follow-up found that corrective action has not been
completed for one of our earlier recommendations that has already been closed
in the Departmental Audit Report Tracking System (DARTS). Accordingly, the
report reaffirms the earlier recommendation that should be reopened in DARTS
and tracked until action is completed.

We appreciate your cooperation.

                                        Frederick D. Doggett
                                        Deputy Assistant Inspector General
                                         for Audit Services
                                        Office of Inspector General

cc: Audit Liaison, IM-10

Attachment


                             Department of Energy
                             Washington, DC 20585
                              December 24, 2002

MEMORANDUM FOR WILLIAM S. MAHARAY
               ASSISTANT INSPECTOR GENERAL FOR
               AUDIT SERVICES

FROM:          RICHARD H. HOPF, DIRECTOR
               OFFICE OF PROCUREMENT AND ASSISTANCE
               MANAGEMENT, OMBE

SUBJECT:       FOLLOW-UP AUDIT OF THE DEPARTMENT'S MANAGEMENT
               OF FIELD CONTRACTOR STAFF ASSIGNED TO THE
               WASHINGTON, D.C. AREA (DOE-IG-0414).

On November 21, 2002, an exit briefing was held by Mr. Ron Hancock and Mr. John
Moynihan to present the results of the recently completed subject audit. I am
pleased to hear that you are satisfied that we have taken the necessary steps
to satisfy the previous IG-0414 report recommendations and believe that the
Department of Energy (DOE) has improved its management of contractors assigned
to Headquarters.

While your letter report will not make any formal recommendations, I understand
that it will provide a few suggestions for consideration. I concur with the
first suggestion to review and evaluate the duties performed by field
contractor administrative support personnel and determine whether these
administrative support services could be acquired more economically using
alternative contracting methods. My office plans to notify account managers
that, when considering approval for these assignments, alternative sources and
related costs should be considered prior to approval. Additionally, I concur
with the suggestion that, for a contractor assignment which is funded by more
than one organization, the system should identify each program office and the
percentage of funding provided from each office. We are in the process of
making database system improvements that will provide the capability to
identify multiple funding sources for each assignment. Once completed, database
account administrators will be directed to update their respective accounts
and, where an assignee is funded from multiple sources, to identify each
organization and their funding percentage in proportion to the total cost of
the assignment. The second modification, to accumulate annual costs by
individual Headquarters organizations, will be discussed with program
organizations. Currently, the database is capable of calculating aggregate
annual costs and average monthly costs of current assignments.

Finally, I would like to commend your team leader Mr. Ron Hancock and Mr. John
Moynihan for their professionalism and expeditious manner in which they
performed the follow-up audit. It was apparent from the onset that the
follow-up audit was focused on obtaining verification of our improvements while
causing minimal impact to staff resources. Unless notified by your office,
we will consider the audit closed and associated actions completed.

cc: Hass, Rickey R., IG-34
    Doggett, Frederick D., IG-32


12/12/02  16:54  FAX 301 903 4656        CAPITAL REGION                      002

United States Government                                   Department of Energy

Memorandum

     DATE:      DEC 12 2002
     REPLY TO:  IG-331 (A02AT015)
     SUBJECT:   Final Report Package for "Follow-Up Audit on Internet Privacy"
                Audit Report No.: OAS-L-03-04
     TO:        Frederick D. Doggett, Deputy Assistant Inspector General for
                Audit Services

Attached is the required final report package on the subject audit. The
pertinent details are:

1. Actual Staff days: 12

   Actual Elapsed days: 90

2. Names of OIG and/or contractor audit staff:

       Assistant Director:   George W. Collard
       Team Leader:          Ron Hancock
       Auditor-in-Charge:    Dick Marvin
       Audit Staff:          (None assigned).

3. Coordination with Investigations and Inspections:
   Due to the nature of this follow-up audit, Investigations and Inspections
   were not contacted.

                                        Rickey R. Hass, Director
                                        Science, Energy, Technology,
                                         and Financial Audits
                                        Office of Audit Services
                                        Office of Inspector General

Attachments:
1. Final Report (3)
2. Monetary Impact Report
3. Audit Project Summary Report
4. Audit Database Information Sheet


                                                                  Attachment 2

                  MONETARY IMPACT OF REPORT NO.: OAS-L-03-04

1. Title of Audit:   Follow-Up Audit on Internet Privacy

2. Region/Office:    Science, Energy, Technology, and Financial Audits

3. Project No.:      A02AT015

4. Type of Audit:

       Financial:                          Performance:               X
          Financial Statement                 Economy and Efficiency  X
          Financial Related                   Program Results
       Other (specify type):

5.
        FINDING          BETTER USED               QUESTIONED COSTS          MGT.      POTENTIAL
                                                                           POSITION    BUDGET
                                                                                       IMPACT
                                Recurring
   (A)    (B)     (C)    (D)      (E)    (F)      (G)          (H)          (I)      (J)       (K)
          Title   One    Amount   No.    Total    Questioned   Unsupported  Total    C=Concur  Y=Yes
                  Time   Per      Yrs.   Amount   Portion      Portion               N=Noncon  N=No
                         Year                                                        U=Undec

   N/A                                   N/A                                N/A

   TOTALS-ALL FINDINGS
                  $0     $0              $0       $0           $0           $0

6. Remarks: There is no current monetary impact or potential future savings.

7. Contractor:                           10. Approvals:
8. Contract No.:                             Division Director & Date
9. Task Order No.:                           Technical Advisor & Date


                     Office of the Inspector General (OIG)
                      Audit Project Office Summary (APS)
                                                                        Page 1

Report run on: December 9, 2002 9:49 AM

Audit#: A02AT015    Ofc: ATA    Title: FOLLOW-UP ON INTERNET PRIVACY

                             **** Milestones ****

                           ------------ Planned ------------
                           Profile     End of Survey  Revised     Actual
Entrance Conference:       10-SEP-02   10-SEP-02      10-SEP-02   10-SEP-02
Survey Completed:
Field Work Complete:
Draft Report Issued:
Exit Conference:
Completed with Report:     31-OCT-02
                                                                  90
Elapsed Days:              51                                     90
Staff Days:                0           0

Date Suspended:                        Date Terminated:
Date Reactivated:                      Date Cancelled:
DaysSuspended(Cur/Tot):    0 (    )    Report Number:
Rpt Title:

                      **** Audit Codes and Personnel ****

Aud Type:   Not Found
Category:   Not Found                  AD:       Not Found
DOE-Org:    Not Found                  AIC:      630  MARVIN
Maj Iss:    Not Found                  HDQ-Mon:  Not Found
Site:       Not Found                  ARM:      459  COLLARD

                          **** Task Information ****

Task No:
Task Order Dt:                         CO Tech. Rep:
Orig Auth Hrs:                         Orig Auth Costs:
Current Auth:                          Current Auth Cost:
Tot Actl IPR Hr:                       Tot Actl Cost:

                            **** Time Charges ****

Emp/Cont Name        Numdays      Last Date

MARVIN, R            11.6         30-NOV-02

Total:               11.6

                          **** ATC Information ****

Atc      Atc Rank      Atcdesc


                                                                  Attachment 4

                       AUDIT DATABASE INFORMATION SHEET

1. Project No.: A02AT015

2. Title of Audit: Follow-Up Audit on Internet Privacy

3. Report No./Date: OAS-L-03-04, December 5, 2002

4. Management Challenge Area: Information Technology

5. Presidential Mgmt Initiative: N/A

6. Secretary Priority/Initiative: N/A

7. Program Code: MA

8. Location/Sites: Headquarters

9. Finding Summary:

   While the Department had made significant progress toward implementing our
   earlier recommendations, we found that it has not yet adopted meaningful
   Internet privacy-specific performance measures. According to an official in
   the Office of the Chief Information Officer, they were considering various
   alternatives but had not yet determined a suitable method for measuring
   performance specific to Internet privacy. We continue to believe that
   meaningful performance measures are a necessary management tool for
   ensuring privacy of Departmental web page visitors. Accordingly, we
   reaffirm our previous recommendation that the Department adopt measures
   specific to Internet privacy.

10. Keywords:

    * Cookies
    * Internet
    * Privacy
    * OMBE
    * ME
    * MA
    * Follow-up
    * Performance